The Tuffmail system provides over 20
technical and blocklist restrictions to reject spam at the MX
servers. You can select which restrictions to enable per address
or use one of four settings from 'None' to 'Very Agressive'. We
feel that the most effective way to deal with spam is to reject
messages from known spam sources and score the rest.

In addition to any restrictions you configure, the following minimal
restrictions must be met before we will accept email from the client.

The connecting client must issue a HELO or EHLO command.

The envelope recipient must be fully qualified, ie: `bob@tuffmail.com'.
We have to know whether the email is for `bob@tuffmail.com'
or for `bob@yourdomain'.

The following restrictions, and any user configured restrictions,
can be bypasssed with a user controlled Allow list entry for the
full envelope sender address, the envelope sender domain, the client
IP address, or a CIDR network. Any email rejected by the following
restrictions is guaranteed to be spam.

The connecting client must not issue a HELO or EHLO command that
masquerades as a Tuffmail machine or masquerades as a machine in the
aol.com, compuserve.com, yahoo.com, or earthling.net domain. This
is an attempt to bypass filters and is guaranteed to be spam.

The connecting client must not use `pipelining' without issuing a
EHLO command.

The connecting client IP address and/or the envelope sender domain
must not be in the global blocklist.

We use a global blocklist as needed to keep broken mail servers
from filling our logs with junk. Some mail servers think that email
rejected with a temporary failure code means to try again in a few
seconds and keep trying every few seconds. A typical case is when
you have enabled the restriction that says that the sender domain
must be a valid domain name and resolve to an IP address or an MX
record. If we are unable to determine the domain valididy in a
reasonable amount of time we tell the client to try again later.
In most cases the domain is a typo or is truly bogus like
`server.ncs.local' which will never resolve. We add the domain to
the global block list and a permanet failure code will be issued
on the next attempt to send the email.

The global blocklist is also used to temporarily reject virus
infected email that uses a fairly constant envelope sender like the
recent Sobig-E virus that sent email with <support@microsoft.com>
as the envelope sender.

The global blocklist has two semi-permanent entries, `home.com'
which is no longer active and is widely forged by spammers and
`windowsupdatenow.com', a pure scam domain.